The Identities page of Identity Threat Detection & Response (ITDR) provides a complete inventory of all user accounts discovered across your connected identity sources. It gives you visibility into each identity's risk score, group memberships, activity history, and associated alerts, helping you understand your identity attack surface at a glance.
Identity Inventory
The Identities page lists all accounts synced from your connected identity providers. Each row displays:
| Column | Description |
|---|---|
| Account status | Displays if the account is active, or only enabled for one of two IdP's. If the identity is disabled in both Entra ID and Okta, it needs to be manually re-enabled from there. |
| Alerts | Number of alerts associated with the identity. |
| Dark web exposure | Displays if the identity is determined to have been exposed in password and data breaches. |
| Dark web monitoring | Displays whether the identity is being monitored or not for password and data breaches. |
| Identity | Email address of the user. |
| Last alert triggered | Time the last alert was triggered. |
| Login restriction | Displays the name of the login restriction group set in Configurations > Login restriction. This group defines allowed countries and login hours. |
| MFA protection | Displays if multi-factor authentication is fully enabled, only enabled for one of two IdP's, or completely disabled. |
| Posture | The security posture checks that the related identity matched (Users without Multi-Factor Authentication configured, guest inactive for >90 days, etc.) |
| Protection enabled | Displays whether the identity is being monitored with ITDR. Each identity with Protection enabled is counted towards your subscription usage. You can free up a license by disabling the toggle for protection, then enable protection as needed for other identities. |
| Source | Displays the IdP's the identity is connected to. |
| User type | Type of user: admin or member. |
Identity Detail View
Click on any identity to open a detailed profile. The identity detail view includes:
- Okta/Entra ID Identity: Displays the user's information and statuses as gathered from the IdP.
- Endpoint: When possible to correlate the identity to an endpoint, this displays the OS type, machine IP, OS platform, and machine ID.
- Dark web monitoring: When an identity is exposed, this shows leaked data like email address, compromised computer, and domains using the compromised email.
Response Actions
Response actions can be started directly from the Identities page. If ITDR is linked to both Entra ID and Okta, you can choose the identity provider(s) for the action.
| Action | Description |
|---|---|
| Add to dark web monitoring | Monitor the identity for password and data breaches. |
| Remove from dark web monitoring | Stop monitoring the identity for password and data breaches. |
| Disable user | Suspends access to the account. The user cannot sign in until the account is re-enabled through your IdP. The user is removed from the ITDR pages and cannot be re-enabled through OneView. Add a note so other admins understand why you disabled the user. |
| Remove user from the group (Entra) | Removes the selected users from an Entra group, revoking access and permissions granted by that group. If a malicious actor has access to a privileged account, remove that user from the group granting them privileged access to revoke the permissions. |
| Enforce 2FA | Forces the user to set up two-factor authentication (2FA) at their next login. We recommended enforcing 2FA for all users. |
| Revoke user session | Terminates all active sessions for the account and requires them to log in again from each device. After resetting a password, use this option to lock malicious actors out of accounts. |
| Force change password | Forces the user to set a new password the next time they sign-in. |
| Export to .csv | Export the data in the selected rows to a CSV file. |
| Export to .xlsx | Export the data in the selected rows to a XLSX file. |
Back to ITDR Guide